diff --git a/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch new file mode 100644 --- /dev/null +++ b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch @@ -0,0 +1,48 @@ +Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c ++++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c +@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in, + return (NULL); + + input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); +- if ((int)input_token->length == -1) { ++ if ((int)input_token->length == -1 || ++ input_token->length > buff_length) { + free(input_token); + return (NULL); + } +Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c +=================================================================== +--- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c ++++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c +@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu + + asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) + { ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + subbuf->base = subbuf->next = buf->next; + if (!indef) { ++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; + subbuf->bound = subbuf->base + length - 1; +- if (subbuf->bound > buf->bound) +- return ASN1_OVERRUN; + } else /* constructed indefinite */ + subbuf->bound = buf->bound; + return 0; +@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri + { + int i; + ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; + if (len == 0) { + *s = 0; +@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin + { + int i; + ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; + if (len == 0) { + *s = 0;